``Isn't anybody going to move a finger, while a significant part of our collective history disappears forever?''
Somebody is: the people who are archiving this stuff!
Besides this effort that seems focused on Geocities, there is also The Internet Archive's Wayback Machine.
``> you shouldn't fix what isn't broken.
That would eliminate a whole lot of what we call "progress" in technology and culture.''
It all depends on the details.
All too often, people take something that works and replace it by something that only does some of the things the old thing did, and most of them worse than the original. Think about forgetting to design some important piece of functionality into the new system, replacing a stable product that has received years of bug fixes with something decidedly more buggy, etc. This is why "if it isn't broken, don't fix it" is good advice.
Of course, that doesn't mean "if it isn't broken, don't ever touch it". If touching it at all causes Bad Things to happen, it is broken and it should be fixed. And even if it isn't broken, it makes sense sometimes to start over. You just have to be careful not to throw out the baby with the bath water.
``you have big sites with horrible AJAX interfaces that completely break page navigation. Yes, this applies to big websites like slashdot''
Oh, don't get me started. For a long time, Slashdot was a haven of sanity in the onslaught of broken Web 2.0 abominations. Now it's one of them. I pretty much can't use anything beyond the homepage without logging in (which enables somewhat simpler and saner code), and my own page is pretty much useless - I can't read my own comments and I can't see if someone else has replied to them.
With the new kids on sites like Digg and /b/ and what have you, and the old school being turned off by Slashdot's breakage, I wonder what is going to happen to the news site I used to love...
``'It irritates me to no end when software doesn't work,' Tanenbaum said. 'Having to reboot your computer is just a pain. The question is, can you make a system that actually works very well?'''
You can. And it has been done. Software that doesn't work? Having to reboot your computer? This hasn't been bugging me for ages. Yet, Andy refuses to use the software I am using for some reason. Instead, he is trying to develop his own, but making it difficult for people to contribute. I like what I have heard about the plans for MINIX 3, but, this way, it's just not going to fly.
I congratulate the MINIX 3 team on what they have achieved, and I congratulate Andy and the rest on having secured funding, but I can't help but think that if they just cooperated with the great projects already out there, they could have achieved much more with much less funding.
Seriously. If you want something good today, use GNU or any of the BSDs. Or maybe a commercial Unix, or even OS X. And my guess is, if you want something good next year, the answer will be the same. Maybe even Windows will be a great choice by then. But MINIX? I'm not counting on it, grant or no grant.
``I don't have any references either. But it was a design goal for the HotSpot virtual machine.''
Was the design goal to yield faster programs than contemporary C++ compilers, or was the design goal simply to find a good compromise between compiling everything before running (long startup time but fast execution) and not compiling anything at run time (fast startup but slow execution)?
``Does this work as well in practice as in theory? You got me. But in the case of C++ native code, you can't even do it in theory.''
I have heard from several people that "Java is faster than C++". So I guess there must be some benchmarks on which some Java implementation has scored better than some C++ implementation. I would like to see those.
My comment wasn't about benchmarks, though, but about applications. And I really have yet to see an application written in Java that doesn't feel sluggish and a memory hog to me. I recognize that this is purely anecdotal and doesn't actually say anything at all about Java. It could just be that all Java applications I have seen are badly written.
As for C++ not being able to optimize hot spots in theory, I think you are quite wrong about that. As far as the theory goes, I think there is nothing that prevents a conforming implementation of C++ from doing so. In fact, you could do the same thing Sun's Java implementation does: compile to some non-native code, then do your best to write the fastest interpreter for that code, including run-time profiling, just-in-time compilation, and what have you.
In practice, I think it is more common to use profiling before creating the final, shipped binary. You compile your program, then you run it in a profiler (identifying the hot spots), and then you re-compile the program, using the profiling information to create a more efficient executable. This way, you get some of the benefits of HotSpot's run-time analysis and compilation, but with no run-time cost. The drawback is, of course, that you will do your optimizations based on how you _think_ your users will use the software, instead of based on measurements of how they are actually using it during the current run (as HotSpot does). Which approach yields the better results is an open question.
``Did you know that Java is often faster than C++ today? Did you know Google uses Java extensively for server applications?''
No, actually I didn't. Do you have any references for those claims? They sound entirely plausible to me, but that doesn't make them true.
'They'll be doing themselves a disservice if, because of XPM, they're not making sure that all their apps support Windows 7.'
Is that like saying "They'll be doing themselves a disservice if, because of $virtual_machine_that_can_run_Windows_XP, they're not making sure that all their apps support Linux"?
Not all spending is the same. The government _should_ be spending money. Only they should be spending on things where the benefits to society outweigh the costs. Certain R&D projects do fall in that category.
``Does the public get any payback if research develops the Next Big Thing? Nope, the scientist goes off, gets a patent and gets wildly personally wealthy.''
LOL. I wish.
``Intel, IBM and Sun basically duplicate a heck of a lot of work trying to do the same thing: make silicon add faster.''
But the competition between Intel and AMD is what has been driving CPU speeds up.
``Microsoft and the Linux community likewise do the same thing with operating systems.''
Again, there is a lot of progress being made because of competition between the various camps. Good features are being cloned, new features are being added, and performance and security are being improved.
``Flash/Silverlight/JavaFX/GWT: redundant.''
Perhaps. Or maybe we'll see some good come from it yet.
``PHP/Rails/J2EE/.Net: redundant.''
Rails gave a major boost to the web development landscape. Competition from .NET has caused Java to improve massively.
``And it's not just the companies that duplicate efforts. All their users and those who develop for these platforms duplicate efforts as well.''
This is true, and a lot of time and effort has been wasted. On the other hand, one has to wonder if we would really have been better off if that hadn't happened.
The trick is that having multiple projects that cater to the same market allows evolution to occur. Each project can move in its own direction, and the world will vote with its feet and cause the projects that make the best choices to thrive. This functionality can then be incorporated by the competing projects, or not, as they see fit. I do believe we end up with better results this way than if we wanted to always avoid duplication.
``I'm sure Oracle would have rather had Sun's implementation all to themselves''
I'm not even sure about that. Oracle also push Linux, and though they contribute to it, most of the work is done by others. I am sure Oracle likes it that way. Why wouldn't they want the same for Java?
``Performance issues used to be a big problem with Java. That's long since been solved.''
Say what you will, but I have yet to use the first Java program that doesn't hog memory and feel sluggish.
``Running Windows in a VM is actually the ideal solution. Do all your net connected stuff via a secure OS like Linux, then open up a few ports for the VM to run games or whatever.''
Will you actually get hardware accelerated 3D that way? I know it can be done with *nix and OpenGL, but can you run *nix on your hardware, then get hardware accelerated Direct3D and OpenGL in Windows running in a VM?
``Copyright laws were intended to promote creativity from artists,''
That may be true of copyright in the USA, but is the same true of European copyright law?
``I thought metastasizing was a perfect word to describe a project where scope creep has been replaced by scope gallop. One where new requirements seem to come from everywhere, sprouting from what was once a tightly defined product.''
My experience is that web applications tend to be like this. The barrier to entry is low and there is often a lot of competition. Once a competitor implements a good idea, there is a lot of pressure to duplicate that idea in your own product. If you opt to go this way, many traditional methods aren't going to do much good (you don't want to spend too much time on things that aren't coding). Rather, you want to engage the customer in the project and let them tell you which features they want while development is ongoing.
For example, instead of taking a couple of weeks at the beginning to decide on a feature set, write a design document, and get it approved, you may want to have weekly meetings where the customer decides what you will work on in the coming week.
Regardless of what strategy you employ, the single most important thing is to make sure that you and the customer are on the same page. Make sure you know what the customer wants, and make sure that the customer knows what they will be getting, and, especially, what they are not getting. If you think the customer is making a mistake, be sure to point that out to them. Try to get as many things recorded as possible, so that you can refer back to it later. This avoids misunderstandings and can help clear them up when they do arise.
``it totally breaks all that added security you were supposed to get through virtualization.''
I've never understood how virtualization is supposed to enhance security, anyway.
My vision is to create, first of all, a network where any node can connect to any other node (unlike the current Internet, which has been infested by NAT).
Then, on top of that network, various interesting services can be built, including one that provides anonymity.
In interface, it could all be compatible with current IP networks, so that existing software can be used for it.
Does such a network exist already?
I've made some baby steps in implementing one myself, but without much progress. One difficulty I've run into is that I can't seem to get tap devices to work (i.e. create something that looks like a network interface and then process the packets that go over that interface in my software). I get the device created and set up, but I'm not seeing any traffic on it.
When contemplating this, it is important to realize that participating in projects like I2P and (especially) TOR increases the chances of being cut off from the Internet or worse. After all, your IP address will be involved in criminal activities, and you will have no way to pass the buck to those who are really behind said activities.
OpenBSD does a very good job of auditing and hardening the base system. However, it has its shortcomings when it comes to security.
One such shortcoming is the effort that goes into maintenance. The maintenance burden is higher than it could be, and the higher the maintenance burden is, the more people will not perform proper maintenance on their systems. Security holes, in particular, tend to be laborious to fix.
Another shortcoming is that third-party software is hardly supported, let alone audited. It is one thing to have a very secure base system, but that isn't necessarily going to help if you run third-party software that has vulnerabilities in it.
This is not to knock the good work of the OpenBSD team (I feel they are one of very few operating system projects that take security seriously enough), but it is still important to know about the weaknesses.
I agree with you that Linux in general isn't a very safe bet when you want to be secure, especially not if you are worried about targeted attacks.
However, that does not mean that ``open source software, in its current form, cannot defend against a concerted attack by any large groups of individuals. It can't be done.''
There is a project called OpenBSD which does exactly what you suggest open source projects don't do: conduct security audits of their whole system.
Personally, I would trust OpenBSD much more than I would any closed-source vendor. Also, OpenBSD has a number of security features that limit the impact of any vulnerabilities not caught by the audit process.
Also, Debian has an audit process that looks not only at the base system, but also at the packages that are included in the distribution. This does not cover all packages, but goes a whole lot further than what many vendors (particularly Microsoft) offer.
On the whole, I think you are being overly negative about security in the open source world, and too optimistic about security in the closed source world. I can tell you from personal experience that the idea that code in closed-source projects has to make it past "at least one code review" is simply wishful thinking. By contrast, the idea that code has to pass at least one review before being accepted is an actual reality in at least some open source projects (including Linux and OpenBSD).
So, while certainly not claiming that using Debian or even OpenBSD is a panacea for security, I have much more faith in those projects than in any closed source project.
I agree with your comments about these security features in Linux. And this is a great shame. It has been working in OpenBSD for ages. What's keeping Linux?
On the other hand, your post suggests that the situation is much better in Windows, and my understanding is that this is not the case. I have not personally verified this, but I've heard that ASLR is only enabled in Windows for certain system libraries and certain executables, while being disabled for virtually all third-party software. In other words, it's there, which is a huge step ahead of most Linux distros, but it's mostly unused, so its presence doesn't buy you much.
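Whether a given Windows binary opts in to ASLR can be checked per file: the opt-in is the DYNAMICBASE bit in the PE header's DllCharacteristics field, and an image whose relocations were stripped cannot be rebased even with that bit set. The following is an added example, not part of the original comment, that reads those bits; the sample headers and file names are constructed for illustration.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics
HIGH_ENTROPY_VA = 0x0020              # DllCharacteristics (64-bit ASLR)
DYNAMIC_BASE = 0x0040                 # DllCharacteristics (ASLR opt-in)
NX_COMPAT = 0x0100                    # DllCharacteristics (DEP opt-in)
PE32, PE32_PLUS = 0x10B, 0x20B        # optional-header magic values


class NotPE(ValueError):
    """Raised when the input is not a parseable PE image."""


def aslr_status(data: bytes) -> dict:
    """Report the ASLR-related mitigation flags of one PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise NotPE("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4) + COFF header (20) + optional header up to offset 72.
    if len(data) < e_lfanew + 24 + 72 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPE("missing PE signature or truncated headers")
    _machine, _nsec, _ts, _symptr, _nsyms, opt_size, file_chars = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32_PLUS) or opt_size < 72:
        raise NotPE("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "format": "PE32+" if magic == PE32_PLUS else "PE32",
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # The loader can only randomise an image it is able to relocate.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def make_sample(magic: int, dll_chars: int, file_chars: int = 0x0002) -> bytes:
    """Build a constructed, headers-only PE image for the demonstration."""
    opt_size = 240 if magic == PE32_PLUS else 224
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, file_chars)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(optional)


# Constructed inventory: names and flag combinations are illustrative only.
SAMPLES = {
    "modern_app.exe": make_sample(PE32_PLUS, NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA),
    "legacy_plugin.dll": make_sample(PE32, NX_COMPAT),
    "stripped_tool.exe": make_sample(PE32, NX_COMPAT | DYNAMIC_BASE, file_chars=0x0003),
}


def audit(images: dict) -> list:
    """Return the sorted names of images that will not be randomised."""
    return sorted(name for name, blob in images.items()
                  if not aslr_status(blob)["aslr_effective"])


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, aslr_status(blob))
    print("not randomised:", audit(SAMPLES))
```

To audit real files, pass `open(path, "rb").read()` for each executable and DLL in an installation directory to `aslr_status`.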
``p.s. their income taxes are lower than ours in most cases.''
Got any references for that?
``what I don't understand is why they need to understand network technology. I don't know European law, but I'd imagine that it's something similar to the DMCA. I would imagine that the DMCA isn't that ambiguous that you have to understand network technology to interpret it. it seems so basic to me, the site that hosts the content is in violation.''
But who is talking about hosting the content?
``Is there anyone outside of CEOs that really agrees with the sort of copyright policy we currently have?''
I bet there are some lawyers who enjoy the current law.
Quoth the parent:
``Those who invade copyright are regarded as knaves who take the bread out of the mouths of deserving men. Rob Malda is a blatant homosexual cock-sucking bastard. Everybody is well pleased ...''